FOR508: Advanced Digital Forensics and Incident Response

FOR508: Advanced Digital Forensics and Incident Response will help you determine:

How the breach occurred

Compromised and affected systems

What attackers took or changed

Incident containment and remediation

THE ADVANCED PERSISTENT THREAT IS IN YOUR NETWORK - TIME TO GO HUNTING!

DAY 0: A 3-letter government agency contacts you to say critical information was stolen through a targeted attack on your organization. They won't tell how they know, but they identify several breached systems within your enterprise. An Advanced Persistent Threat adversary, aka an APT, is likely involved - the most sophisticated threat you are likely to face in your efforts to defend your systems and data.

Over 80% of all breach victims learn of a compromise from third-party notifications, not from internal security teams. In most cases, adversaries have been rummaging through your network undetected for months or even years.

Incident response tactics and procedures have evolved rapidly over the past several years. Data breaches and intrusions are growing more complex. Adversaries are no longer compromising one or two systems in your enterprise; they are compromising hundreds. Your team can no longer afford antiquated incident response techniques that fail to properly identify compromised systems, provide ineffective containment of the breach, and ultimately fail to rapidly remediate the incident.

A hands-on enterprise intrusion lab - developed from a real-world targeted APT attack on an enterprise network and based on how an APT group will target your network - leads you through the challenges and solutions via extensive use of the SANS SIFT Workstation collection of tools.

During the intrusion lab exercises, you will identify where the initial targeted attack occurred and lateral movement through multiple compromised systems. You will extract and create crucial cyber threat intelligence that can help you properly scope the compromise and detect future breaches.

During a targeted attack, an organization needs the best incident response team in the field. FOR508: Advanced Digital Forensics and Incident Response will train you and your team to respond, detect, scope, and stop intrusions and data breaches.

Overview

Incident responders should be armed with the latest tools, memory analysis techniques, and enterprise incident response methodologies in order to identify, track, and contain advanced adversaries and remediate incidents. Incident response and forensic analysts must be able to scale their response across thousands of systems in their enterprise. Enterprise scanning techniques are now a requirement to track targeted attacks by an APT group or organized crime syndicates that can rapidly propagate through hundreds of systems. Responding to this many systems cannot be accomplished using the standard "pull the hard drive" forensic examination methodology. Such an approach will alert the adversaries that you are aware of them and may allow them to quickly adapt and exfiltrate sensitive information in response. This section examines the six-step incident response methodology as it applies to an enterprise's response during a targeted attack. We will show the importance of developing security intelligence in affecting the adversaries' "kill chain." We will also demonstrate live response techniques and tactics that can be applied on a single system and across the entire enterprise.

Students will receive a full six-month license of F-Response Enterprise Edition, enabling each student to use his or her own workstation or the SIFT workstation to connect to hundreds or thousands of systems in the enterprise. This capability is used to benchmark, facilitate, and demonstrate new incident response technologies that enable a responder to look for indicators of compromise across the entire enterprise.

Exercises

SIFT Workstation 3 orientation

Mounting remote/local drives via SIFT Workstation

Remote enterprise memory acquisition using F-Response Enterprise

Remote enterprise response and analysis using F-Response Enterprise

CPE/CMU Credits: 6

Topics

Real Incident Response Tactics

Preparation: Key tools, techniques, and procedures an incident response team needs to properly respond to intrusions

Identification: Proper scoping of an incident and detecting all compromised systems in the enterprise

Containment: Identification of exactly how the breach occurred and what was stolen

Eradication: Determining the key steps that must be taken to help stop the current incident

Recovery: Recording of the threat intelligence to be used in the event of a similar adversary returning to the enterprise

Lessons Learned

Threat and Adversary Intelligence

Importance of Cyber Threat Intelligence

Understanding the "Kill Chain"

Threat Intelligence Creation and Use During Incident Response

Incident Response Team Life-Cycle Overview

Incident and Malware Detection - All Activity across a Specific System

Overview

Now a critical component of many incident response teams that detect advanced threats in their organization, memory forensics has come a long way in just a few years. It can be extraordinarily effective at finding evidence of worms, rootkits, and advanced malware used by an APT group of attackers. Memory analysis traditionally was solely the domain of Windows internals experts, but the recent development of new tools makes it accessible today to anyone, especially incident responders. Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field. This section will introduce some of the newest free tools available and give you a solid foundation in adding core and advanced memory forensic skills to your incident response and forensics capabilities.

Exercises

Detect unknown live and dormant custom malware in memory across multiple systems in an enterprise environment

Find APT "beacon" malware over common ports that targeted attackers use to access command and control (C2) channels

Find residual command-line input through scanning strings in memory and by extracting command history buffers

Overview

Timeline analysis will change the way you approach digital forensics and incident response... forever.

Learn advanced incident response techniques uncovered via timeline analysis directly from the developers who pioneered timeline analysis tradecraft. Temporal data is located everywhere on a computer system. File system modified/access/creation/change times, log files, network data, registry data, and Internet history files all contain time data that can be correlated into critical analysis to successfully solve cases. Pioneered by Rob Lee in 2001, timeline analysis has become a critical incident response and forensics technique to solve complex cases. New timeline analysis frameworks provide the means to conduct simultaneous examinations of a multitude of time-based artifacts. Analysis that once took days now takes minutes.

This section will step you through the two primary methods of building and analyzing timelines created during advanced incident response and forensic cases. Exercises will not only show analysts how to create a timeline, they will also introduce key methods to help you use those timelines effectively in your cases.

Exercises

Using timeline analysis, determine how the breach originally occurred by identifying an APT group beachhead and spear phishing attack

Target hidden and time-stomped malware and utility-ware that an APT uses to move in the network and maintain its presence

Overview

In digital forensics, many tools simply require a few mouse clicks to automatically recover data. However, this "push button" mentality has led to many inaccurate results in the past few years. It is also very difficult to identify a skilled attacker solely using antiquated and slow commercial toolsets. This section will free you from relying on "push button" forensic techniques by showing you how the engines of digital forensic tools really work. To understand how to carve out data, it is best to understand how to do it by hand and then show how automated tools should be able to recover the same data. You will learn how to perform string searches looking for specific residue from a file, as well as multiple ways to recover the file data across the layers of the file system. If a file or registry key has been wiped or deleted, this section shows how to use Windows historical artifacts to recover key pieces of the data even if they no longer exist on the system. This knowledge will allow you to see beyond most anti-forensic techniques, enabling you to gain the advantage while responding to breaches in your organization and to investigate more advanced subjects actively attempting to hide from you.

Overview

The adversaries are good. We must be better.

Over the years, we have observed that many incident responders have a challenging time finding malware without pre-built indicators of compromise or threat intelligence gathered prior to a breach. This is especially true in APT group intrusions. This advanced session will demonstrate techniques used by first responders to identify malware or forensic artifacts when very little information exists about their capabilities or hidden locations. We will discuss techniques to help funnel possibilities down to the candidates most likely to be evil malware trying to hide on the system.

The section concludes with a step-by-step approach to handling some of the most difficult types of investigations. You will learn the best ways to approach intrusion and spear phishing attacks. You will know the locations you can examine to determine if file wiping occurred. Regardless of the actions hackers might take, they will always leave something that can be traced. This section will consolidate your new skills into a working attack plan to solve these difficult cases.

Overview

This incredibly rich and realistic enterprise intrusion exercise is based on a real-world advanced persistent threat (APT) group. It brings together techniques learned earlier in the week and tests your newly acquired skills in a case that simulates an attack by an advanced adversary. The challenge brings it all together using a real intrusion into a complete Windows enterprise environment. You will be asked to uncover how the systems were compromised in the initial intrusion, find other systems the adversary moved to laterally, and identify intellectual property stolen via data exfiltration. You will walk out of the course with hands-on experience investigating realistic attacks, curated by a cadre of instructors with decades of experience fighting advanced threats from attackers ranging from nation-states to financial crime syndicates and hacktivist groups.

CPE/CMU Credits: 6

Topics

The Intrusion Forensic Challenge will have each incident response team analyzing multiple systems in an enterprise network.

Each incident response team will be asked to answer the following key questions during the challenge, just as they would during a real breach in their organizations:

IDENTIFICATION AND SCOPING:

1. How and when did the APT group breach our network?

2. List all compromised systems by IP address and specific evidence of compromise.

3. When and how did the attackers first laterally move to each system?

CONTAINMENT AND SECURITY INTELLIGENCE GATHERING:

4. How and when did the attackers obtain domain administrator credentials?

5. Once on other systems, what did the attackers look for on each system?

7. Determine what was stolen: Recover any .rar files or other archives exfiltrated, find encoding passwords, and extract the contents to verify extracted data.

8. Collect and list all malware used in the attack.

9. Develop and present security intelligence or an indicator of compromise (IOC) for the APT-group "beacon" malware for both host- and network-based enterprise scoping. What specific indicators exist for the use of this malware?

REMEDIATION AND RECOVERY

10. Do we need to change the passwords for every user in the domain, or just the ones affected by the compromised systems?

11. Based on the attacker techniques and tools discovered during the incident, what are the recommended steps to remediate and recover from this incident?

a. What systems need to be rebuilt?

b. What IP addresses need to be blocked?

c. What countermeasures should we deploy to slow or stop these attackers if they come back?

d. What recommendations would you make in order to detect these intruders in our network again?

!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!

You can use any 64-bit version of Windows, Mac OS X, or Linux as your core operating system that also can install and run VMware virtualization products. For Macs, we recommend setting up Boot Camp and running Windows directly on your Mac. We have had challenges with VMware Fusion products with several exercises in class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool for Windows and Linux that will detect whether or not your host supports 64-bit guest virtual machines. For further troubleshooting, this article also provides good instructions for Windows users to determine more about the CPU and OS capabilities.

Please download and install VMware Workstation 11, VMware Fusion 7, or VMware Player 7 or higher versions on your system prior to class beginning. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their Web site. VMware Player is a free download that does not need a commercial license. Most students find VMware Player adequate for the course.

MANDATORY FOR508 SYSTEM HARDWARE REQUIREMENTS:

CPU: 64-bit Intel x64 2.0+ GHz processor or higher based system is mandatory for this class (Important - Please Read: a 64-bit system processor is mandatory)

RAM: 4 GB (Gigabytes) of RAM minimum (Note: We strongly recommend 8 GB of RAM or higher to get the most out of the course)

Host Operating System: Any version of Windows or Mac OS X that also can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player). Please note, those with Macs generally do better with Boot Camp installed and running Windows from their Mac. While it works on OS X, some students have experienced problems with VMware Fusion during the course.

Networking: Wireless 802.11 B, G, N, or AC

USB 3.0 Port(s) - highly recommended

200 Gigabyte Host System Hard Drive minimum

~100 Gigabytes of Free Space on your System Hard Drive (Note: The free space is needed for the SIFT Workstation VM and the evidence (64 GB) we will be adding to your system)

The student should have the capability to have Local Administrator Access within their host operating system

PLEASE NOTE: Do NOT Download a copy of the SIFT workstation. We will be providing you a FOR508 version specifically configured for training on Day 1 of the course.

MANDATORY FOR508 SYSTEM SOFTWARE REQUIREMENTS (Please install the following prior to the beginning of the class):

Bring/install any other forensic tool you feel could be useful (EnCase, FTK, etc). For the final challenge at the end of the course, you can utilize any forensic tool, including commercial capabilities, to help you and your team. If you have any dongles, licensed software, you are free to use it.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Incident Response Team Leaders and Members who regularly respond to complex security incidents/intrusions from an APT group/advanced adversaries and need to know how to detect, investigate, remediate, and recover from compromised systems across an enterprise.

Red Team Members, Penetration Testers, and Exploit Developers who want to learn how their opponents can identify their actions. Discover how common mistakes can compromise operations on remote systems, and how to avoid them. This course covers remote system forensics and data collection techniques that can be easily integrated into post-exploit operating procedures and exploit testing batteries.

SANS FOR408 and SEC504 Graduates looking to take their skills to the next level.

One of the biggest complaints you hear in the digital forensics and incident response community is the lack of realistic intrusion data. Most real-world intrusion data are simply too sensitive to be shared.

Starting over a year ago, the FOR508 course authors created a realistic scenario based on experiences surveyed from a panel of responders who regularly respond to targeted APT attacks. They helped review and guide the targeted attack "script" used to create the scenario. As a result, the authors created an incredibly rich and realistic attack scenario across multiple enterprise systems. This APT attack lab forms the basis for training during the week. The network was set up to mimic a standard "protected" enterprise network using standard compliance checklists:

Full auditing turned on per recommended FISMA guidelines

Windows domain controller (DC) set up and configured; DC hardened similar to what is seen in real enterprise networks

Systems installed with real software on them that is used (Office, Adobe, Skype, Tweetdeck, Email, Dropbox, Firefox, Chrome)

Fully patched systems (patches are automatically installed)

Enterprise incident response agents

Enterprise A/V and on-scan capability based on the DoD's Host-Based Security System (HBSS)

Discover every system compromised in your enterprise utilizing incident response tools such as F-Response and digital forensic analysis capabilities in the SIFT Workstation to identify APT beachhead and spear phishing attack mechanisms, lateral movement, and data exfiltration techniques.

Using the SIFT Workstation's capabilities, perform forensic analysis and incident response on any remote enterprise hard drive or system memory without having to image the system first, allowing for immediate response and scalable analysis to take place across the enterprise.

Using system memory and the Volatility toolset to discover active malware on a system, determine how the malware was placed there, and recover it to help develop key threat intelligence to perform proper scoping activities during incident response.

Detect advanced capabilities such as Stuxnet, TDSS, or APT command and control malware immediately through memory analysis using Redline's Malware Rating Index (MRI) to quickly ascertain the threat to your organization and aid in scoping the true extent of the data breach

Track the exact footprints of an attacker crossing multiple systems and observe data they have collected to exfiltrate as you track your adversary's movements in your network via timeline analysis using the log2timeline toolset

Begin recovery and remediation of the compromise via the use of Indicators of Compromise (IOC), Threat Intelligence, and IR/Forensics key scanning techniques to identify active malware and all enterprise systems affected by the breach

Discover an adversary's persistence mechanisms to allow malware to continue to run on a system after a reboot using command-line tools such as autorunsc, psexec, jobparser, group policy, triage-ir, and IOCFinder.

"THE SANS508 COURSE EXCEEDED MY EXPECTATIONS IN EVERY WAY. IT PROVIDED ME THE SKILLS, KNOWLEDGE, AND TOOLS TO EFFECTIVELY RESPOND TO AND HANDLE APTS AND OTHER ENTERPRISE WIDE THREATS." -Josh Moulin NSTEC/NNSA/DOE

"THE EXAMPLES IN THE COURSE RELATE TO WHAT I NEED TO KNOW TO DEAL WITH REAL WORLD THREATS." -Tim Weaver, Digital Mtn. Inc.

"I WAS SURPRISED AND AMAZED AT HOW EASY IT IS TO DO MEMORY ANALYSIS AND HOW HELPFUL IT IS." - Brian Dugay, Apple

"THE LEVEL OF DETAIL IS AMAZING. THE METHODOLOGY IS CLEARLY EFFECTIVE AT FINDING PERTINENT ARTIFACTS." - no name

"I'VE TAKEN OTHER NETWORK INTRUSION CLASSES BUT NOTHING THIS IN-DEPTH. THE CLASS IS OUTSTANDING!" -- Craig Goldsmith, FBI

"GREAT COURSE! THIS NOT ONLY HELPS ME IN FORENSICS BUT ALSO IN CREATING USE-CASES FOR OUR OTHER INTRUSION ANALYSIS TOOLS." -Joseph Murray, Deloitte

"IT IS HARD TO REALLY SAY SOMETHING THAT WILL PROPERLY CONVEY THE AMOUNT OF MENTAL GROWTH I HAVE EXPERIENCED THIS WEEK." -Travis Farral, XTI Energy

"EXCELLENT COURSE, INVALUABLE HANDS-ON EXPERIENCE TAUGHT BY PEOPLE WHO NOT ONLY KNOW THE TOOLS AND TECHNIQUES, BUT KNOW THEIR QUIRKINESS THROUGH PRACTICAL, REAL-WORLD EXPERIENCE." -John Alexander, US Army

"THIS COURSE (FOR508) REALLY TAKES YOU FROM 0-60 IN UNDERSTANDING THE CORE CONCEPTS OF FORENSICS, ESPECIALLY THE FILE SYSTEM." -Matthew Harvey, U.S. Department of Justice

"IF YOU NEED TO TRACK DOWN WHAT HAPPENED IN YOUR ENVIRONMENTS, THIS IS A MUST HAVE COURSE!" -Fran Moniz, American National Insurance

"BEST FORENSICS TRAINING I'VE HAD SO FAR. I THOUGHT SOME OTHER COURSES WERE GREAT BUT 508 IS A LOT MORE CURRENT AND APPLICABLE TO THE REAL WORLD! EXCELLENT COURSE AND INSTRUCTOR OVERALL!" -Marc Bleicher, Bit9

"THE MORE I PROGRESS THROUGH THE COURSE, THE MORE I REALIZE JUST HOW MUCH CAPACITY THERE IS TO PRODUCE ANSWERS TO TOUGH QUESTIONS. WHERE I MIGHT NOT HAVE FOUND SUPPORTING EVIDENCE IN PAST CASES, I FEEL I HAVE SO MANY NEW AVENUES TO EXPLORE. A REAL EYE-OPENER. I ALSO GREATLY APPRECIATE THE FOCUS ON INCIDENT RESPONSE." - Dave Ockwell-Jenner, SITA

"I HAVE ALREADY USED SEVERAL OF THE TOOLS/TECHNIQUES FROM THE COURSE WITH PAST-CASE EVIDENCE TO UNCOVER THINGS I DID NOT PREVIOUSLY KNOW." - Dave Ockwell-Jenner, SITA

"MY SOC FOCUSES A LOT ON INCIDENT RESPONSE AND QUICK FORENSICS, SO THE COURSE MATERIAL IS EXTREMELY VALUABLE." - Anonymous

"I ROUTINELY PERFORM LIVE MEMORY CAPTURES AND HAVE GONE THROUGH THEM LOOKING FOR THE OBVIOUS, BUT I HAD NO IDEA, UNTIL FOR508, HOW MANY ARTIFACTS ARE CONTAINED IN RAM." - M Scott Saul, FBI

"THE SANS INSTITUTE IS CURRENTLY THE LEADER IN THE COMMERCIAL IR AND COMPUTER FORENSIC TRAINING MARKET. THEY HAVE A LARGE NUMBER OF QUALITY COURSES." - Luttgens, Jason; Pepe, Matthew; Mandia, Kevin. Incident Response & Computer Forensics, Third Edition - July 2014

"YOU HAVE THE CONTENT WHICH IS CLOSE TO REAL WHEN YOU HAVE THE INSTRUCTOR THAT GOES INTO A LOT OF REAL WORLD EXAMPLES. JUST GREAT." -Anonymous

Author Statement

"In describing the advanced persistent threat (APT) and advanced adversaries, many experts have said, 'There are people smarter than you, who have more resources than you, and who are coming for you. Good luck with that.' They were not joking. The results over the past several years clearly indicate that hackers employed by nation-states and organized crime are racking up success after success. The APT has compromised hundreds of organizations. Organized crime organizations using botnets are exploiting ACH fraud daily. Similar groups are penetrating banks and merchants, stealing credit card data. Fortune 500 companies are beginning to detail data breaches and hacks in their annual stockholder reports.

"In other words, the enemy is getting better and bolder, and their success rate is impressive.

"We can stop them, but in order to do so we need to field more sophisticated incident responders and digital forensics investigators. We need lethal digital forensics experts who can detect and eradicate advanced threats immediately. A properly trained incident responder could be the only defense your organization has left during a compromise. Forensics 508: Advanced Digital Forensics and Incident Response is crucial training for you to become the lethal forensicator who can step up to these advanced threats. The enemy is good. We are better. This course will help you become one of the best."